
A proxy network promising millions of clean residential IPs may actually be recycling infrastructure tied to one of the internet’s largest botnet ecosystems.
Researchers at Proxyway have tested Smartproxy.org’s network, sending nearly 7 million requests through its infrastructure over a week. The result was a sprawling pool of over 2 million unique IP addresses.
The research stemmed from suspicion that the network was related to IPIDEA, a malicious Chinese residential proxy network that Google took down on January 28th. When Smartproxy.org IPs were compared against a verified dataset tied to IPIDEA, the overlap was striking. 773,087 IPs matched – 38.21% of Smartproxy.org’s pool.
“We’d had suspicions about Smartproxy.org’s ties to IPIDEA for a while. The provider shares several characteristics with the cluster of IPIDEA-affiliated brands,” the researchers said.
Residential IPs do rotate. They move between users and networks and can appear across multiple proxy networks over time. Some overlap is normal. But for two independent networks of this size, an overlap of 38% would be statistically bizarre.
The more likely explanation is that Smartproxy.org is either reselling IPIDEA infrastructure or sourcing heavily from it.
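The comparison described above, sketched as an added example (not Proxyway's code): it deduplicates observed exit IPs, intersects them with a reference set, and contrasts the measured overlap with the share two independent pools would be expected to have in common. The addresses, the reference set and the `ASSUMED_UNIVERSE` figure are constructed assumptions; the page does not state the reference dataset's size.

```python
import ipaddress

def normalize(raw):
    """Return a canonical IP string, or None if the field is not an IP address."""
    try:
        ip = ipaddress.ip_address(raw.strip())
    except ValueError:
        return None
    # Collapse IPv4-mapped IPv6 (::ffff:a.b.c.d) so one host is not counted twice.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return str(ip)

def unique_ips(lines):
    """Deduplicate exit IPs, skipping failed requests and other non-IP fields."""
    return {ip for ip in map(normalize, lines) if ip is not None}

def overlap_report(observed, reference, universe_size):
    """Compare the measured overlap with the share expected from independent pools."""
    if not observed:
        raise ValueError("no valid exit IPs observed")
    shared = observed & reference
    share = len(shared) / len(observed)
    # Independent random pools: each observed IP falls in the reference set
    # with probability len(reference) / universe_size.
    expected = len(reference) / universe_size
    return {"observed": len(observed), "shared": len(shared),
            "share": share, "expected_share": expected,
            "times_expected": share / expected}

# Constructed sample data (RFC 5737 documentation ranges), not real measurements.
EXIT_IP_LOG = ["203.0.113.10", "203.0.113.10", "::ffff:203.0.113.11",
               "198.51.100.7", "198.51.100.8", "192.0.2.55",
               "timeout", " 192.0.2.56\n"]
REFERENCE_SET = unique_ips(["203.0.113.10", "203.0.113.11",
                            "192.0.2.55", "192.0.2.200"])
ASSUMED_UNIVERSE = 1000  # assumption: size of the address space both pools draw from

if __name__ == "__main__":
    report = overlap_report(unique_ips(EXIT_IP_LOG), REFERENCE_SET, ASSUMED_UNIVERSE)
    for key, value in report.items():
        print(f"{key}: {value}")
```
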
What is IPIDEA
IPIDEA is known to have hijacked millions of PCs and Android devices, converting them into exit nodes that masked criminal and espionage operations behind the IP addresses of ordinary users.
Google explicitly noted that the network was expanding via apps such as free VPNs. Many of the apps involved did not clearly disclose that installing them would enroll the user’s device in a proxy network.
Google’s research found that IPIDEA’s network had facilitated several large botnets, including BADBOX2.0, Kimwolf, and Aisuru. Over 550 threat groups used IPIDEA’s proxies to mask malicious activity.
Behind the IPIDEA name sat more than a dozen Hong Kong–incorporated brands such as PyProxy, LunaProxy, PIA S5 Proxy, 922Proxy, ABC Proxy, Cherry Proxy, IP2World, TabProxy, and others, all feeding off the same device pool.
Flat rate for a proxy is a red flag
Even before the data test, Smartproxy.org already showed signs of being part of a familiar pattern. Unlimited bandwidth for a flat fee sounds great, but real residential proxy networks have real costs.
Unless, of course, the IP supply is effectively free. In IPIDEA’s case, it effectively was, since devices were recruited through SDKs embedded in apps without proper disclosure.
“If Smartproxy.org’s IPs come from the same device pool, the same ethical concerns around consent and transparency apply to its users. In practical terms, you may be routing your traffic through devices whose owners never agreed to serve as proxies,” the researchers noted.
Just like IPIDEA, Smartproxy has no clear ownership. No detailed sourcing explanation or visible compliance framework could be found. All this also indicates a lack of transparency.
Cheap access, massive IP claims, and vague sourcing mirror the strategy used by multiple IPIDEA-linked brands between 2022 and 2024.
Smartproxy.org has no relationship with Decodo, the well-known proxy service that previously operated under the Smartproxy.com domain. The impostor domain was likely used to exploit brand similarity.
What does this mean for proxy users?
According to the researchers, this has multiple implications for Smartproxy.org's users. IPIDEA's network was used by over 550 threat groups.
If the same IPs serve both Smartproxy.org customers and malicious actors, every request a user routes carries the accumulated reputation damage.
Anti-bot systems score IP addresses. A proxy flagged for botnet activity in one context will get challenged or blocked in another. For anyone running ad verification, SEO monitoring, or market research, this is a direct hit to data quality.
Proxy network persists in the shadows
Smartproxy.org is almost certainly not the only provider still drinking from IPIDEA's well. Google torched the most recognizable names – LunaProxy, ABCProxy, and the rest had their domains seized and their networks crippled. But killing a brand is not the same as killing a network.
Proxy networks run on device-level software and SDKs buried inside consumer apps. The apps are still installed on millions of phones and laptops, and the exit nodes continue to route traffic.
“Changing a brand name or registering a new domain does nothing to alter the underlying pool of devices that serve as exit nodes. The apps that recruited those devices are still installed, the SDKs are still running, and the IPs continue to route traffic,” the researchers concluded.